Wednesday, October 18, 2017

A Healthcare Breach Is Next: How Healthcare IT Pros Can Better Protect Their Organisation in 2017 and beyond

by Joe Kim, CTO, SolarWinds

It’s estimated that the cybersecurity market will grow to $170 billion (USD) by 2020, but the impact of a cyberattack isn’t always financial, particularly when it comes to healthcare breaches.

Cybercriminals are often in it for the money, and this is even truer when it comes to healthcare organisations. Health credentials can go for $10 each, which is 10 to 20 times the value a cybercriminal can get for a credit card number. But the impact a breach can have on a hospital or a doctor’s surgery can be far worse than just monetary.


Learn from the past

Earlier this year, hundreds of planned operations and outpatient appointments were cancelled across Lincolnshire at three UK hospitals managed by the North Lincolnshire and Goole trust, after a computer virus infected critical systems. The incident resulted in officials having to declare a “major incident.”

The trust, which runs hospitals in Goole, Grimsby, and Scunthorpe, had to cancel operations, experienced difficulty processing blood tests and accessing historical test results, and struggled to identify blood for blood transfusions.

This incident is one example of how a healthcare cybersecurity breach could directly impact patients.


This is just the start for healthcare breaches

Occurrences like these are becoming more common throughout healthcare organisations across the world, and the impact can be far worse than a traditional breach. An attack aimed at a healthcare practice could lead to a medical device being compromised, or even a hospital machine being taken over, resulting in operations being cancelled or patient data being compromised.

All of this, combined with growing threats like ransomware, has caused IT pros who work in healthcare to become more concerned about security than ever before.

However, despite this fear being very real, some healthcare organisations lack basic cyber essentials, with some still running on Windows XP, and many devices not having basic antivirus software.

With high profile hacks constantly being reported, there has been a shift in focus for the enterprise, but this hasn’t been reflected within the public sector.


Change the mentality

Healthcare IT teams are already at a disadvantage because healthcare organisations tend to be so large, with so many entry points, from hospitals to doctors’ surgeries. This makes it incredibly difficult for the IT team to keep the network safe and secure.

Healthcare organisations are often the most cash-strapped, and it’s difficult for IT managers to put a business case forward for more investment in IT security when they themselves haven’t been affected, yet. Often, the board takes an “if it ain’t broke, don’t fix it” approach.

Many IT departments within healthcare organisations are constantly flagging these concerns, and feel that security is being neglected. Ultimately, due to a lack of investment, healthcare IT pros aren’t confident that they could protect their trust from a severe breach should they be attacked.

The bottom line is this: it appears British healthcare organisations are living under the assumption that the board will only start prioritising security after a significant breach occurs. But how bad does it need to get in order for something to be done? It’s time for a mentality shift.

There hasn’t yet been the equivalent of a TalkTalk or Ashley Madison breach within the public sector, but it’s not far off. Waiting for this to happen before acting is only going to increase the potential damage.

It’s vital that healthcare organisations take the same approach as larger enterprises, by learning from previous breaches and investing in security.

However, while this mentality shift gets underway, there is work IT pros can do now to protect the network that requires little investment.


Educate the workforce to gain senior buy-in

Unknown devices are often connected to the network because employees enjoy being able to use their own devices and don’t consider the cybersecurity risks of doing so.

A large part of this is because they aren’t aware of what could happen if their mobile device were hacked. They struggle to make the connection that it could, in fact, give a cybercriminal access to the network.

It’s therefore imperative that the healthcare IT team not only has an overview of which devices are connected to the network and what employees are accessing, but also runs an awareness programme to inform employees of the impact a breach could have.

The average employee doesn’t understand security threats, so such a programme would need to encompass education and enforcement. For example, if healthcare workers were shown how hackers can access a worker’s phone and infiltrate the network, they would be much more aware of the implications of a breach and understand how easily it can happen.

Likewise, this would start a dialogue among healthcare employees and make them start to prioritise security, giving the IT department a better chance of protecting the organisation from a breach, and also gaining buy-in from senior leadership.

There is an expectation that healthcare IT pros will be able to protect their organisation from a security breach. Ultimately, though, you could have the savviest security professional of all time protecting the organisation, and without the right solutions they would still be extremely limited in what they can do.

To protect healthcare organisations from catastrophic breaches, funding, investment, and co-operation from employees are all required.